Home/ Questions/Q 7056529
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T03:52:40+00:00

Is there a difference if a parameter of a POST-form is placed in the

  • 0

Is there a difference if a parameter of a POST-form is placed in the query string:

<form action="mysite.com/index.php?myparam=myvalue">
    ...more inputs here
</form>

and placing it as a hidden input?

<form action="mysite.com/index.php">
    <input type="hidden" value="myvalue">
    ...more inputs here
</form>

I’m using Joomla, but it’s totally unrelated actually. I see that there’s a bit of “here and there” in their tutorials, but does it actually matter? What are the implications if I use either one?

NOTE: I forgot to place action=post in the forms which has changed the question totally. however, with the arrival of interesting answers which answered more than just my question, I decided to leave them as is.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, there is a difference, technically and conceptually. The way that difference affects you depends on the application server that handles the request (well, and on your preferences, of course).

    Technical difference:

    In most application servers, the source of a parameter (URL or FORM) determines where they end up. In PHP, url parameters go in the $_GET and form fields in the $_POST superglobals, respectively. If you don’t care about the technical difference, there is a $_REQUEST superglobal for your convenience.

    Conceptional difference:

    It is most logical to make a difference between two types of request parameters:

    • Such that are required to render a page, i.e. they don’t change anything in the database if you send the request again.
    • Such that change the database, i.e. are destructive (they are the reason why browsers ask if you are okay with posting a page again if you hit refresh).

    The former ones are called idempotent and should be transferred via GET. A good example would be a search string or a record ID. No matter how often your hit refresh, the database stays untouched.

    The other kind of parameter is data that should be stored in the DB. It would be destructive in the sense that it actually changes database contents. These parameters should be transferred via POST.

    By the way, this is also a good way to decide if your form should be method="GET" or method="POST": Whenever form input is idempotent on the database, use a GET form. For example a user search form should be GET, a user preferences form should be POST.

    Now you could argue that in your case the record ID is idempotent, but the other bits of information in your form are not. In this case I find it most idiomatic to use

    <form action="mysite.com/index.php?id=1234" method="POST">
    <!-- ...more inputs here -->
</form>

    since a GET mysite.com/index.php?id=1234 would request that very record.

    There is no need to do it that way, though – of course you can post the ID as a hidden input.

    Two things you should be aware of, though:

    • In this case the HTTP server logs would not show evidence of which record the user posted to (if you care for that).
    • This kind of separation only works for POST forms. GET forms ignore the parameters in action attribute, you must specify all of them in as hidden input fields.
    • 0